Slashdot Mirror

← Back to Stories (view on slashdot.org)

OWASP's VulnXML Database

Posted by michael on from the autocracker dept.

Ingo Struck writes "The Open Web Application Security Project released the VulnXML db for early access to the public. VulnXML is a description of static known vulnerabilities. It provides all necessary information to let an execution engine automatically craft and launch appropriate HTTP, SOAP or WebDAV requests and analyse the response whether the attack had success. Besides it provides some human readable classification of the described vulnerability. A tool to execute VulnXML records is currently being developed and will help developers to check their web applications against a suite of well-known vulnerabilities described in a portable format."

9 of 68 comments (clear)

  1. Double-edged Sword? by melete · · Score: 4, Interesting

    As always, it sounds like this is a double egded sword -- won't this give script-kiddies a new engine for quickly scanning for possibly vulnerable targets?

    Not that I'm saying this is a bad thing -- it's just one more tools that security professionals will have to use to stay ahead of the competition.

    1. Re:Double-edged Sword? by PaulK · · Score: 4, Informative

      Hmmmm.....

      I suppose I'll have to throw myself on my own sword.

      After digging through the "whisper" entries, it looks as if that is ALL it is... a repository for scripts.

      My apologies. I did read the overview, but it doesn't coincide with the actual database.

      This is disturbing.

  2. All right! by Fly+Ricky+-+The+Wine · · Score: 5, Funny

    Just in time for July 6th!

  3. Wow by Saint+Aardvark · · Score: 3, Funny
    A tool to execute VulnXML records is currently being developed

    Now that's security by obscurity! <rimshot />

    Thank you, ladies and germs, I'll be here all week.

    --
    Carousel is a lie!
  4. well... by LittleBigLui · · Score: 5, Insightful
    It provides all necessary information to let an execution engine automatically craft and launch appropriate HTTP, SOAP or WebDAV requests and analyse the response whether the attack had success.


    so we've just replaced script kiddies with a (very small) shell script?
    --
    Free as in mason.
    1. Re:well... by Anonymous Coward · · Score: 3, Funny

      Why not, we've already replaced advanced virus delivery systems with stupid users who would even be willing to open sexy-fun-i-am-not-a-virus-honest.exe

  5. Sysadmins? by SHEENmaster · · Score: 5, Interesting

    This could also be used to create a "Super" Nessus. Remember that script kiddies and system administrators both use such tools. I think that in the long run, it will help the latter more.

    --
    You can't judge a book by the way it wears its hair.
  6. Yet another.. why? by Knightmare · · Score: 3, Insightful

    I honestly don't see the purpose in this site or the tool being developed to use it. I use Nessus on a daily basis and it seems to work just fine for this task.

    I mean what more could you ask for... a client/server based vuln. scanner that will give you reports in xml, csv, txt, html, doc... Since the site and database has been created, maybe you should just write a program that exports the exploit tests as Nessus nasl scripts so we can do the tests and Snort rules so we can detect testing.

  7. I think most people are missing this by Michael+Crutcher · · Score: 3, Informative

    From the site:
    This database is intended to enable the maintenance of a peer group based set of XML descriptions for web application attacks.

    Most people here are comparing this to vulnerability scanners like nessus, but acording to the description provided by the website this appears to be something entirely different. It doesn't check for known vulnerabilities versus services, but rather tries various attacks on web applications. I'm sure that something out there has been created along these same lines before, but I've never heard of it. This sounds like a good idea, and an easy way for inexperienced web application designers to insure that they're not vulnerable to a large database of known attacks.

    Sounds pretty cool to me.